And I'm sure we all believe that this time they're really telling the truth. They have such good credibility after all.

While I doubt the overall credibility of the NSA as well, this claim is unique: it can be independently verified. We would have to query various software vendors about who/what/where a vulnerability notification came from. I doubt the NSA's veil of secrecy would extend beyond the point when a patch has been released for the zero-day exploit.

That doesn't tell us much. If the vendors confirm that they sometimes get informed of bugs by the NSA then that will prove only that his statement wasn't a complete lie. It tells us nothing about the percentage of bugs they find but don't reveal.

“The default is to disclose vulnerabilities in products and systems used by the US and its allies”

Considering what the NSA does to the US's allies (e.g. Merkel/Germany), I find it hard to believe a word of what was said.

A: "Guys, we were instructed to stop hacking Merkel."
B: "Well, can we hack every single person who has ever come in contact with Merkel and install RATs on every device they own?"
A: "I assumed that was implied."

Not to mention the time frame between discovery and reporting. They could sit on these for a while before notifying the devs.

Thanks, I was scanning the comments to see if anyone else brought up this critical point. My unsubstantiated guess is that if the zero-day is considered an especially good one, they will not disclose until it is being actively exploited by other parties and the harm of the exploit toward U.S. concerns hits a certain point.

So you have to wonder how many of these exploits and backdoors they deliberately kept secret because they helped their illegal data collection (4th Amendment violations) on hundreds of millions of Americans, which someone else then discovered and used to, say, steal credit card and user information from places like Amazon or Target?

They have proven over and over again they have no credibility. They are either the agency that cried wolf, or they are the Chicken Little of our government. Either way, only a fool would give them any credibility.

Plausible deniability only works if you have credibility. The Chinese government, the Russian government, the North Korean government, and now, thanks to their continual lying about their illegal activities concerning violations of the 4th amendment, the American government has lost all credibility.

As others have stated, there's no way to know how many exploits they find, how long between the time they find them and they notify the vendor. We might be able to get some decent idea of the severity trends, but we also don't know if they even completely disclose the problem. Perhaps they have a tendency to narrowly define a broad vulnerability so that they can still use it under certain circumstances.

"National Security Agency director nominee Vice Admiral Michael Rogers said that the NSA is working with the White House to create a process to determine what to do with zero-day vulnerabilities that the agency UNCOVERS." [emphasis added]

What about the vulnerabilities the NSA INTRODUCES onto our systems? The NSA is the biggest threat to our national electronic/communications infrastructure, far more than any terrorist could ever hope to be. The weaknesses the NSA is holding in its back pocket are exactly those that the criminals and terrorists *will* find and exploit in time, given that a terrorist or criminal can depend on the NSA not to fix our systems of such vulnerabilities.

I am more comfortable with malicious hackers knowing zero-day exploits than the NSA. If a person practices safe computing, they can be fairly safe from zero-day exploits anyway. Not that it matters a whole hell of a lot. The entire Internet has been compromised and everything can be monitored by anybody.

Much as I don't like being spied upon, the NSA's job is gathering intelligence deemed relevant to national security. (A job assigned to them by one democratically elected government after another.) It may well be that recently they have taken that job too far, by essentially dropping the "relevant to national security" qualification (which, of course, was ill-defined to begin with). But no matter how you look at it, their job was never to use tax money to debug commercial software products. From the NSA's point of view, it all comes down to national security: does the advantage of being able to use an exploit outweigh the risk of an adversary using the same exploit? As you would expect, and as Rogers confirmed, sometimes the answer goes one way, other times another.

The NSA's idea of keeping zero-day exploits secret is deeply flawed. Not only do you screw yourself by keeping those holes in your own equipment, but everyone else in the world will have the same problem. There is no telling who else will use those same exploits to get into the NSA's systems and those of its citizens.

I wouldn't expect it because it's absolutely ridiculous. We are more secure when we are more secure. There's reasonable debate about public disclosure, but the notion that we should save vulnerabilities to use against theoretical bad guys is nuts, especially when you consider that the NSA's internal security is itself incredibly poor. The NSA has information on how to take over countless machines, has tons of information on everyone in the world, and poor enough internal security that a fairly low level worker using basic social engineering was able to acquire a massive archive of secret information. The NSA is probably the greatest threat to national security the US has seen in decades.

The NSA, as well as US Cyber Command, regularly claims to be working to protect American businesses from hackers and cyber-espionage. Former NSA employees often take jobs (sometimes high-ranking positions) with computer security companies, claiming a desire to defend the American economy from digital spying and sabotage. They advertise their research and their active defensive capabilities as an asset to the American economy.

Combining these claims with the Tailored Access Operations group under one leader and hiding vulnerabilities in widely used software is a direct conflict of interest.

This is the point that the NSA should have learned from being owned from within. They should have known better than to trust an outside company to hire secure workers to oversee their crown jewels. Booz Allen is one of the most profitable companies that feeds at the public trough, and you can bet they know where several skeletons are buried in the Pentagon and in Congress.

I am no fan of how publicly the NSA has been dragged out to the woodshed, but the longer this goes on the worse they look. If we can't trust them, then who will we trust? I mean, the alternative is the corporations, who probably know of many zero-day exploits, and hackers in general. Someone has to have this responsibility. I don't see any alternative to some defense department entity. They do have Congress and the President, who have given them their approval. This is how our system works. We should give Snowden whatever he wants just to get him back and away from the rest of the world. I believe he is both a patriot and the worst spy we have ever had. There is no way to know what he has without dealing directly with him. The fact that the NSA and the American government did not recognize this from the very beginning makes them seem even more incompetent. We cannot afford to be incompetent at spying. It is a basic requirement of any nation state.

The other problem is that if Snowden owned them from within, then how many Russian, Chinese, Israeli, and other countries have managed to get assets into the National Security Agency?